Administrator, November 15, 2023 at 12:56 am
Thanks for your feedback.
1) How can applying an NACL impact the workload?
>> If other applications within the same subnet as the proxy server require access to S3, configuring an NACL on that subnet that blocks outbound traffic to S3 endpoints would inadvertently block these applications as well.
2) How can the right answers restrict the rogue user? We changed the access method from "public" S3 endpoints to "private – gateway", which is fine. But the rogue user can use this "gateway endpoint" the same way, getting the data from one bucket and putting it into another one within the "private AWS network".
>> There are many possible ways one might try to exfiltrate data. A VPC gateway endpoint, of course, is not a be-all and end-all solution; rather, it's just one of the options you can use to mitigate the kind of threat mentioned in the scenario. Using a VPC Gateway Endpoint allows you to connect privately to an S3 bucket, and it lets you configure endpoint policies to restrict who can access which bucket through that endpoint. This is one of the ways to cut down, or at least put a leash on, a user's access to the bucket. With the right endpoint policies, a user cannot just transfer data between the S3 bucket and a private AWS network. I understand that the answer could be better worded by mentioning the use of endpoint policies. We'll review this item and make the necessary revisions to improve it.
Let me know if you have further questions.
Carlo @ Tutorials Dojo
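One way to express the endpoint-policy restriction described in the reply above, as an added example that is not part of the original thread: the policy pins the gateway endpoint to a single approved bucket and to principals from one account, and a small evaluator shows which requests would pass. The account ID, bucket names and object key are constructed, and the evaluator is a simplified model of IAM that only covers the operators this policy uses.

```python
"""VPC gateway endpoint policy for S3 plus a simplified allow/deny check.
Account id, bucket names and object keys below are constructed examples."""
import fnmatch
import json

ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ApprovedBucketFromOwnAccountOnly",
        "Effect": "Allow",
        "Principal": "*",  # gateway endpoint policies use "*" and narrow via Condition
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::approved-bucket",
                     "arn:aws:s3:::approved-bucket/*"],
        # Only principals from the owning account may use the endpoint
        "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}},
    }],
}


def _matches(patterns, value):
    """IAM-style wildcard match for an Action or Resource entry (str or list)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def endpoint_allows(policy, action, resource, context):
    """Simplified evaluation (assumption): default deny, an explicit Deny wins,
    otherwise an Allow whose Action, Resource and StringEquals conditions all
    match. Real IAM has many more condition operators than modelled here."""
    decision = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != val for key, val in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    print(json.dumps(ENDPOINT_POLICY, indent=2))
    own_account = {"aws:PrincipalAccount": "111122223333"}
    # Copying to a bucket outside the approved one is refused at the endpoint
    print(endpoint_allows(ENDPOINT_POLICY, "s3:PutObject",
                          "arn:aws:s3:::unapproved-bucket/copy.csv", own_account))
```

The same Condition block could instead use `aws:ResourceAccount` to allow any bucket owned by your account, which is the usual choice when many buckets are in scope.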